asdsadasd
An end-to-end AI Content Pipeline that crawls articles, rewrites them using Google Gemini, and automatically publishes to Facebook Fanpage.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Phan Văn Năng @yunneetoichoi
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description (AI crawl + Gemini rewrite + Facebook publish) maps to the provided code: crawler, writer (Gemini), image generator (OpenAI DALL·E optional), and Facebook publisher. Declared env vars in SKILL.md (Gemini, Apify, FB app/page tokens) align with the functionality. Minor inconsistency: SKILL.md frontmatter lists required envs but README/.env include additional keys (OPENAI_API_KEY, FB_CLIENT_TOKEN) which the code loads (OPENAI_API_KEY is optional for images).
Instruction Scope
Runtime instructions ask you to create/use a .env with credentials and run helper scripts (fb_token_helper.py) and the pipeline. The repository as packaged already contains a .env file with real-looking secrets and a large output_log — that means sensitive credentials are bundled and could be reused or leaked. A pre-scan pattern flagged a base64-block in SKILL.md (possible prompt-injection). The instructions do not appear to call external endpoints beyond the declared services, but the presence of committed secrets and injection indicators elevates risk.
Install Mechanism
No install spec is provided (instruction-only skill), and dependencies are standard Python packages listed in requirements.txt. There are no downloads from arbitrary URLs or archive extraction steps in the manifest. Risk here is from running included Python code (which may call network APIs) rather than from an installer payload.
Credentials
The skill legitimately needs API tokens for Gemini, Apify, and Facebook; those are declared. However, the package contains a .env file with actual credentials (OpenAI key, Apify token, FB_APP_SECRET, FB_PAGE_ACCESS_TOKEN) committed in the manifest — this is disproportionate and unsafe. Including working secrets in the repository is unexpected for a distributed skill and presents high risk (leaked/compromised credentials).
Persistence & Privilege
The skill is not always-included and is user-invocable (normal). There is a sitecustomize.py that modifies Python stdout encoding; sitecustomize is auto-imported by Python when on sys.path, which is a modest scope change but not inherently malicious. The skill does not request elevated system persistence or modify other skills' config.
Scan Findings in Context
[base64-block] unexpected: Static pre-scan flagged a base64-block pattern in SKILL.md (prompt-injection indicator). The pipeline's purpose (scrape → rewrite → post) does not require embedded base64 payloads; this finding could indicate attempted prompt manipulation or simply an encoded block in documentation. Treat as suspicious and inspect SKILL.md content for hidden instructions or encoded payloads.
What to consider before installing
Do not install or run this skill on any account containing real, valuable credentials until you address the issues below:
1) The repository includes a .env file with what look like real API keys and a Facebook page access token — treat these as compromised. If you or your org used these keys, rotate/revoke them immediately.
2) Remove any secrets from the codebase and ensure .env is listed in .gitignore before using; provide your own credentials at runtime instead.
3) Inspect SKILL.md and code for the flagged base64/prompt-injection block and review any encoded or obfuscated content; decode and verify intent before running.
4) Review fb_token_helper.py behavior (it will walk you through exchanging tokens) and ensure the Page token scopes/permissions are appropriate and limited.
5) Run the code in a sandboxed environment with disposable test accounts (Facebook test pages, sandbox API keys) and monitor outbound network calls.
6) If you want to proceed after remediation: remove committed secrets, audit the code for hidden endpoints or exfiltration, and limit tokens to least privilege.
If you need, I can:
a) point to exact lines/files with secrets and how to sanitize them,
b) summarize the fb_token_helper.py flow, or
c) suggest a safe test checklist.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
Runtime requirements
Environment variables
- GEMINI_API_KEY (required)
- APIFY_API_TOKEN (required)
- FB_APP_ID (required)
- FB_APP_SECRET (required)
- FB_PAGE_ID (required)
- FB_PAGE_ACCESS_TOKEN (required)
SKILL.md
🤖 OpenClaw AI Content Pipeline (Analyze + Publish)
Purpose
This is a production-ready OpenClaw Skill that merges a Web Crawler, an AI Rewriter (Google Gemini), and a Facebook Auto-Publisher into one seamless pipeline. It reads URLs (news articles or Facebook posts), rewrites them into engaging social media captions, and posts them directly to your Fanpage.
Core Capabilities
- Analyze Mode: Extracts data from URLs via Python requests/BeautifulSoup (for static news) or Apify (for JS-heavy content like Facebook). Generates localized rewritten text via Gemini 2.5 Flash.
- Publish Mode: Pushes the generated content directly to a Facebook Page via Graph API v21.0.
- Batch Processing: Can ingest URLs line-by-line from a text file, process them in bulk, and save JSON reports.
Architecture Map
- run.bat / main.py ← Central Orchestrators (CLI Entry points)
- agents/crawler_agent.py ← Hybrid Crawler (Native + Apify API)
- agents/writer_agent.py ← AI Content Generator (Gemini Integration)
- agents/fb_publisher_agent.py ← Graph API Poster (Messages & Images)
- config.py ← Environment Loader & System Validation
Setup & Environment
Ensure you create a .env file at the root with the following variables:
# AI Models
GEMINI_API_KEY=...
OPENAI_API_KEY=... # Optional: For DALL-E 3 image generation
# Scraping
APIFY_API_TOKEN=...
# Facebook Graph API
FB_APP_ID=...
FB_APP_SECRET=...
FB_PAGE_ID=...
FB_PAGE_ACCESS_TOKEN=...
Usage commands
From your terminal, run the following commands (Windows run.bat wrappers):
1. Analyze (Test scrape and text rewrite)
# Analyze a single URL
run.bat analyze "https://vnexpress.net/..."
# Analyze and save as JSON
run.bat analyze "https://dantri.com.vn/..." --save
# Batch analyze from a text file
run.bat analyze-file urls.txt
2. Publish (Post directly to Facebook)
# Test Graph API Token connection
run.bat test
run.bat test-post
# Full pipeline (Crawl -> Rewrite -> Post to Fanpage)
run.bat run "https://dantri.com.vn/..."
# Pipeline dry-run (No actual post)
run.bat dry "https://dantri.com.vn/..."
